Abstract

Secret sharing and multiparty computation (also called "se- 
cure function evaluation") are fundamental primitives in 
modern cryptography, allowing a group of mutually distrust- 
ful players to perform correct, distributed computations un- 
der the sole assumption that some number of them will fol- 
low the protocol honestly. This paper investigates how much 
trust is necessary - that is, how many players must remain 
honest - in order for distributed quantum computations to be 
possible. 

We present a verifiable quantum secret sharing (VQSS) 
protocol, and a general secure multiparty quantum computation
(MPQC) protocol, which can tolerate any $\lfloor \frac{n-1}{2} \rfloor$
cheaters among n players. Previous protocols for these
tasks tolerated $\lfloor \frac{n-1}{4} \rfloor$ and $\lfloor \frac{n-1}{6} \rfloor$ cheaters, respectively. The
threshold we achieve is tight — even in the classical case, 
"fair" multiparty computation is not possible if any set of 
n/2 players can cheat. 

Our protocols rely on approximate quantum error- 
correcting codes, which can tolerate a larger fraction of er- 
rors than traditional, exact codes. We introduce new families 
of authentication schemes and approximate codes tailored 
to the needs of our protocols, as well as new state purifica- 
tion techniques along the lines of those used in fault-tolerant 
quantum circuits. 



1 Introduction 

Secure multiparty computation has been studied extensively
in the classical setting (see ifTTl for a survey) and was extended
to the quantum setting by [12]. A secure quantum
multiparty protocol (or secure function evaluation) allows n
participants $P_1, \ldots, P_n$ to compute an n-input quantum circuit
where each player $P_i$ is responsible for providing one
of the input states. The output of the circuit is broken into
n components $H_1 \otimes \cdots \otimes H_n$ and $P_i$ receives the output
$H_i$. Note that the inputs are arbitrary (possibly entangled)
quantum states and each player simply has his input in his 
possession — he does not need to know its classical descrip- 
tion. Informally we wish to achieve the same functionality 
as if each player were to hand his input to a trusted third 
party who would evaluate the circuit and distribute the out- 
puts. Moreover we wish to do so even when up to t players 
are faulty. 

In the quantum setting it seemed at first that the best one
could hope for is to tolerate t < n/4 faulty players simply
because (exact) quantum error correcting codes (QECC)
cannot recover from more errors. Indeed the best previously
known verifiable quantum secret sharing protocol can tolerate
t < n/4 faulty players, and the best secure quantum multiparty
protocol tolerates only t < n/6 faults ifTSlH . However,
approximate QECCs exist [13] that can recover (with
high probability) from the corruption of t < n/2 shares, and
their discovery paved the way to this paper.

Main Result Assuming pairwise quantum channels and a 
classical broadcast channel between n players, there ex- 
ists a universally composable, statistically secure multiparty 
quantum computation protocol, that tolerates an adaptive 
adversary controlling up to t < n/2 faulty players. The 
complexity of the protocol is polynomial in the number of 
players and the size of the circuit. 

Note: Tolerating t > n/2 faulty players is not possible in our 
model without computational assumptions. This follows, for 
example, from the impossibility of unconditionally secure 
quantum bit commitment for two players (see lfT5l for a re- 
cent discussion). 

In our setting, universally composable classical secure
multiparty computation is possible [23, 7, 20] and, crucially,
the proofs of composability hold even in the quantum UC
model [6]. One strategy we use extensively is to reduce the
quantum multiparty computation to a secure computation on
classical keys.

1 The preliminary version of [12] claims that the n/4 bound is tight for
VQSS; however, the bound holds only for errorless protocols. See [13] for
a discussion.

Protocol Overview Our protocol follows the basic "share- 
and-compute" paradigm of classical distributed protocols. 
Players use a quantum version of verifiable secret sharing 
(called VQSS) to distribute an encoding of their input. They 
then perform the circuit, gate by gate, on these encoded val- 
ues. The circuit's outputs are then sent to appropriate players 
by opening the VQSS. 

The structure of the verifiable sharing is similar to clas- 
sical protocols, with several important differences. First, 
the encoding used in the VQSS combines error-correction 
and authentication in a novel way. Authenticating quantum 
data requires encryption, and new tools are required to ma- 
nipulate encrypted data. In particular, we can often push 
the complexity of the quantum computation into a classi- 
cal computation on the authentication (or encryption) keys - 
this computation can be performed with classical tools. One 
of our contributions is a family of self-dual authentication 
codes, which make these classical computations simpler to 
represent. 

Second, the error-correcting code underlying the protocols
is an "approximate" code which tolerates any t < n/2
errors, similar to that in [13]. In order to perform a full
(dense) set of operations fault-tolerantly on these encodings, 
we develop a procedure for purifying encodings of "Toffoli 
states", whose creation is sufficient to perform a Toffoli gate. 

Finally, because quantum data cannot be cloned, the 
dealer does not use his actual data in the sharing protocol
until after the sharing is successfully completed - he then 
inputs his data via teleportation. 

This Abstract The basic authentication code, and operations
required on authenticated data, are described in Section 2.
Sections 3, 4 and 5 build up the pieces necessary
for VQSS. Section 3 extends the authentication scheme to
verified state authentication, in which a dealer can prove to
another player that a message is correctly authenticated via a
key shared among all players. The next step is weak VQSS,
which plays the role of a classical commitment scheme: the
dealer shares a state in such a way that he cannot change
it, but may refuse to open it at a later stage (Section 4).
Section 5 explains the final layer needed for VQSS. Finally,
Sections 6 and 7 give the purification procedure for Toffoli
states and a sketch of the simulation argument showing that
the whole protocol is secure.

The Network Model We assume a synchronous network 
(with rushing) in which pairwise secure quantum channels 
exist between any two players, and a classical broadcast 
channel connects all players. 



The Adversary We assume that the adversary is computationally
unbounded, and that she fully coordinates the actions
of all faulty players. She may corrupt players adaptively
during the course of the protocol. There are two limitations
to this: (1) At most t < n/2 players may become faulty
during the course of the computation; (2) the adversary has
access only to the information of the corrupted players she
currently controls. We call the non-faulty players honest.

All protocols we present have a success probability exponentially
close to one (also called an exponentially good
probability) in some security parameter.²

2 Quantum Authentication 

In our construction of Multiparty Quantum Computation 
(MPQC) we use a quantum authentication scheme (QAS), 
such as that proposed in [3]. Any QAS based on a quan- 
tum CSS code can be used, but some later protocols become 
simpler when the QAS is based on a self-dual code. There- 
fore our first contribution is a family of self-dual Quantum 
Authentication Schemes. We will build a scheme which is 
exponentially secure in some arbitrary security parameter 
m = 2d+ 1, where d is a parameter of the code. The scheme 
is not optimal in terms of redundancy or error probability, 
but it is sufficient for our purposes. 

When using this scheme in the computation, we will assume
that m is larger than the security parameter of the Multiparty
Computation times the number of players. Let p be
a prime, m < p < 2m. All the algorithms we propose will
manipulate qudits in $\mathbb{Z}_p$.

The scheme will be based on a classical key which will be
composed of two parts: $k_1, \ldots, k_m \in_R \{\pm 1\}$ and a string
$x \in_R \{0,1\}^{2m \log_2(p)}$. The dealer will then apply two
transformations:

First, in a way quite similar to the stretched polynomial
code, the dealer will apply

$$|S_a\rangle = p^{-d/2} \sum_{\deg(f) \le d,\ f(0) = a} |k_1 \times f(\alpha_1), \ldots, k_m \times f(\alpha_m)\rangle,$$

where $\alpha_1, \ldots, \alpha_m \in \mathbb{Z}_p$ are distinct nonzero points known
to all players.

Then, very much like the Quantum Authentication Code
of [3], the dealer will encrypt the state by applying a random
Pauli operation on each part of the state. This will create a
stretched and shifted polynomial-like code. The encryption
will be denoted as $E_x$, so we will have $\psi = E_x A_k(\phi)$.

2 As proved in [12], Verifiable Quantum Secret Sharing and Multiparty
Quantum Computation with more than n/4 faulty players must have
some probability of failure. Therefore, the Multiparty Computation protocol
we present will have an exponentially small probability of failure
in some security parameter. Let S be the value of this parameter, and
C the size of the quantum circuit we want to securely evaluate. Our algorithms
will be polynomial in n, S and C. Setting a security parameter
$s = S + n^2 + \log C + O(1)$ in all our subprotocols is sufficient to guarantee
that the overall failure probability will be bounded by $2^{-s}$.
Note that the authentication (without the encryption) is
self-dual. To see this, we apply the Fourier transform on
the code transversely as in HI, getting
$\mathrm{Fourier}(|S_a\rangle) = p^{-1/2} \sum_b \omega^{ab} |S_b\rangle$. This gives:

$$|S'_b\rangle = p^{-d/2} \sum_{\deg(f) \le d,\ f(0) = b} |k_1^{-1} \times f(\alpha_1), \ldots, k_m^{-1} \times f(\alpha_m)\rangle,$$

which is equal to $|S_b\rangle$, as $k_i^{-1} = k_i$. The combined code
$E_x A_k$ remains self-dual: the Fourier transform on $E_x$ is
equivalent to a change in the classical key x.

Security of the Quantum Authentication Scheme After 
the encoding, an adversary can try to tamper with the infor- 
mation as she likes, but without knowledge of (x, k) = K. 

Finally the receiver takes as input the system $\rho'$, and tries
to return to the encoded state based on k, x. We will apply
definitions 1 and 2 of [3], and say that the receiver's output
lies in a Hilbert space $M \otimes V$, where M has a size of m
qubits (the size of the original state) and V is a Hilbert space
of dimension 2, with basis states $|ac\rangle$, $|re\rangle$. Define projectors

$$P_1 = |\psi\rangle\langle\psi| \otimes I_V + I_M \otimes |re\rangle\langle re| - |\psi\rangle\langle\psi| \otimes |re\rangle\langle re|$$

$$P_0 = (I_M - |\psi\rangle\langle\psi|) \otimes |ac\rangle\langle ac|$$

Lemma 2.1. In expectation over k and x, for any encoded
state and for any action taken by the adversary, the receiver's
output has exponentially good fidelity to the space
spanned by $P_1$.³ If the adversary did not change the authenticated
state the output will be the original state tensored
with $|ac\rangle$.

The proof of the lemma appears in the final version.

Actually, this security definition is not quite sufficient for
our purposes, since we need the authentication to remain secure
in a variety of contexts. We adopt the Universally Composable
definition of [18] with a TTP: That is, the sender
passes the state to the TTP. The adversary then gets to decide
whether the TTP gives the correct state to the receiver,
or instead the state $|re\rangle$. Hayden et al. [18] show that the
class of QAS described in [3], including the code above, remains
secure with respect to this stronger definition.

We also need the authentication scheme to remain secure 
when it is applied to many states authenticated with the same 
k but different x's. The proof is essentially the same: we can 
treat the combined system as a single large authentication 
scheme which fails if even one of the states fails the authen- 
tication test. It is again sufficient to consider attacks where 
the adversary applies a Pauli matrix, and the argument above 
shows that she is likely to be caught if she attacks even a sin- 
gle state in this way. 

3 In particular, with exponentially good probability over k, x, the fidelity 
is exponentially close to 1. 



Operations on Authenticated Quantum Data A key advantage
of the code we present is that it is possible to perform
Clifford operations on coded data when one party holds
the classical keys and the other party holds the data. In
all cases, we can do this by performing transversal operations
on the quantum state (that is, separate quantum gates
on each share), and some corresponding transformation of
the encryption key x. For instance, the Fourier transform
can be done by applying the Fourier transform transversally
and changing the key $x = (x_0, x_1)$ to $x' = (x_1, x_0)$, and
the mod p SUM gate by transversal SUM gates while transforming
the keys $x = (x_0, x_1)$, $y = (y_0, y_1)$ to $x' = (x_0, x_1 - y_1)$,
$y' = (x_0 + y_0, y_1)$. Measurement can be
performed by measuring each qudit to get a classical word,
which can be decoded with the help of the key.
A few properties of the code are: 

1. The new states are still correctly authenticated. 

2. Only the correct gate leaves the states correctly authen- 
ticated (since a different gate would require a different 
transformation of x). 

3. Performing any of these operations does not give any 
new data on the keys. This is important in the case of 
CNOT, where knowing the key x' of one of the states 
after the operation does not give any information on the 
key y' of the other state. 
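
The key transformation for the mod p SUM gate can be checked numerically. The following Python sketch is an added example, not code from the paper. It assumes p = 5, one qudit per register (only the Pauli encryption $E_x$ is modelled, the authentication code $A_k$ is omitted), the convention X|a> = |a+1>, Z|a> = w^a |a>, and that the register with key x is the SUM control.

```python
import cmath
import random

P = 5  # assumed small prime dimension (the paper only asks for m < p < 2m)


def omega(k):
    """Return w^k for w = exp(2*pi*i / P)."""
    return cmath.exp(2j * cmath.pi * (k % P) / P)


def pauli(state, key, qudit, inverse=False):
    """Apply X^k0 Z^k1, i.e. |v> -> w^(k1*v) |v+k0>, or its inverse, to one qudit.

    `state` is a list of P*P amplitudes; index a*P + b is the basis state |a, b>.
    """
    k0, k1 = key
    out = [0j] * (P * P)
    for a in range(P):
        for b in range(P):
            v = a if qudit == 0 else b
            if inverse:
                w = (v - k0) % P
                phase = omega(-k1 * w)
            else:
                w = (v + k0) % P
                phase = omega(k1 * v)
            dst = w * P + b if qudit == 0 else a * P + w
            out[dst] += phase * state[a * P + b]
    return out


def encrypt(state, x, y):
    """Pauli-encrypt register 0 under key x and register 1 under key y."""
    return pauli(pauli(state, x, 0), y, 1)


def decrypt(state, x, y):
    """Undo encrypt() with the given keys."""
    return pauli(pauli(state, x, 0, inverse=True), y, 1, inverse=True)


def sum_gate(state):
    """mod p SUM: |a, b> -> |a, a+b>; register 0 is the control."""
    out = [0j] * (P * P)
    for a in range(P):
        for b in range(P):
            out[a * P + (a + b) % P] = state[a * P + b]
    return out


def update_keys_for_sum(x, y):
    """Key transformation from the text: x' = (x0, x1 - y1), y' = (x0 + y0, y1)."""
    return (x[0], (x[1] - y[1]) % P), ((x[0] + y[0]) % P, y[1])


def fidelity(u, v):
    """Squared overlap of two normalised state vectors."""
    return abs(sum(a.conjugate() * b for a, b in zip(u, v))) ** 2


def random_state(rng):
    amps = [complex(rng.gauss(0, 1), rng.gauss(0, 1)) for _ in range(P * P)]
    norm = sum(abs(a) ** 2 for a in amps) ** 0.5
    return [a / norm for a in amps]


def basis_state(a, b):
    state = [0j] * (P * P)
    state[a * P + b] = 1 + 0j
    return state


def run_sum_on_ciphertext(plain, x, y, refresh_keys=True):
    """Data holder applies SUM to the ciphertext; key holder updates keys classically.

    Returns the fidelity between the decrypted result and SUM applied to `plain`.
    """
    cipher = sum_gate(encrypt(plain, x, y))   # data holder never sees x or y
    if refresh_keys:
        x, y = update_keys_for_sum(x, y)      # purely classical step
    return fidelity(decrypt(cipher, x, y), sum_gate(plain))


def demo():
    rng = random.Random(2006)                 # constructed sample input
    x, y = (2, 4), (3, 1)                     # constructed sample keys
    with_update = run_sum_on_ciphertext(random_state(rng), x, y, True)
    stale_keys = run_sum_on_ciphertext(basis_state(1, 2), x, y, False)
    return with_update, stale_keys


if __name__ == "__main__":
    print(demo())
```

With the updated keys the decrypted state equals SUM of the plaintext; with the stale keys a residual Pauli error remains, which is what the authentication check would catch.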

Measuring an authenticated state according to the stan- 
dard basis yields a random codeword which is multiplied 
and shifted. Changes to the codeword without knowledge of 
the keys is equivalent to applying X operations on the quan- 
tum state, and has the same probability of getting caught. 

Handling keys In the following sections we will want to 
manipulate the classical keys in many ways. We will use an 
imaginary classical Trusted Third Party, which implements 
classical multiparty computation. From now on, all classical 
keys of authenticated data will be sent immediately to this 
Third Party, which will tell the players the meaning of their 
actions based on those keys. While such a TTP does not 
exist, we can simulate it using (for example) the classical 
multiparty computation of [23].

3 Verified Quantum State Authentication

In this section, we force the dealer to send each honest player
a correctly authenticated message, using the QAS of Section 2.
A dealer who does not comply will be revealed as faulty
in front of all the players and is kicked out. In the first subsection,
we show how to force the dealer to send correctly
authenticated zero states to every honest player. We later
transform the zero states to EPR pairs shared between players,
and then pass other states using quantum teleportation.
The algorithms succeed only with high probability.

Sending "Verifiable" Authenticated Zeros Let D be a
dealer, who should send states of the form $\mathrm{Auth}_{(k,x)}(|0\rangle)$ to
all players. The problem is that later in the protocol, players
are required to present states which have been authenticated
by the dealer. There would then be no way to distinguish between
an honest player who was originally given bad states
by a faulty dealer and a corrupted player who changed the
states she received from an honest dealer. To solve this problem
we incorporate the following protocol, which guarantees
that with exponentially good probability either the dealer is
caught, or every honest player has a large number of $|0\rangle$
states authenticated by the dealer:



Protocol Zero-Share (Dealer D, r-copies to each player)

1. D chooses one random key k, and creates many states
of the form $\mathrm{Auth}_{(k,x)}(|0\rangle)$ for many different x's (all
x's are chosen at random).

2. D sends each player many ($(r+2s)(t+1)$) such states.

3. D sends all the keys to the classical TTP.

4. Each player $P_i$ performs purification on his states. A
purity testing protocol for zeros which spends 2s states
is given later. The results of the measurements are sent
to the TTP.

5. The TTP returns each player a bit indicating whether
everything was alright with her states. This gives fidelity⁴
of $1 - p^{-s}$ to the statement that either $P_i$'s states
are authenticated zeros or the dealer is caught by $P_i$.⁵

6. For each player i, if $P_i$ caught the dealer she complains
about him. If there are more than t complaints the
dealer is faulty.

7. Each player who did not complain distributes r + 2s of
her states to each player who did complain.

8. Each complainer $P_i$ does the following: for all j, using
the zero purity test protocol and with the help of the
TTP (as before $P_i$ only measures and the TTP tells
him if the states are good), go over the states you got
from $P_j$. Find a player $P_j$ who you can trust (i.e., $P_j$
gave $P_i$ states which were correctly authenticated by
the dealer).



4 In calculating the fidelity we assume that all the authentication checks
succeeded.

5 A more formal definition can be cast by letting $P_i$ output $|ac\rangle$, $|re\rangle$
as before and then we have high fidelity to the state of authenticated zeros
tensored with $|ac\rangle$ or anything else tensored with $|re\rangle$.



Lemma 3.1. In the last stage of the protocol, with high prob- 
ability every honest player will have zero states which were 
authenticated by the dealer. 

Proof. At most t players complained about the dealer in step 
6. This means that at least one honest player got authenti- 
cated zeros, and she will pass them to all the complainers. 
Therefore, if after the last step a player complains that she 
doesn't have any authenticated states she is faulty. □ 

Lemma 3.2. The adversary has no new information about
the key k used by the dealer or about the x's in the surviving
zero states.

Proof. For all i, all the measurements made by $P_i$ give random
values, and players are only told by the TTP that the
check succeeded. □

Note that the protocol has an exponentially low probabil- 
ity to fail completely. This could happen (for example) if 
the dealer sends non-zero states, but a single honest player 
is fooled by the dealer. This will mean that the dealer will 
not be considered faulty in step 6, and all the honest players 
will fail in the last step. 

The protocol requires a method of testing that a set
of states are (close to) correctly authenticated zeros. We
present such a zero purity test in Appendix A.

Generating Authenticated EPR pairs To share an authenticated
EPR pair with the dealer, $P_i$ takes two authenticated
zeros, and using the classic TTP, performs a transversal
Fourier on one of them, and then a SUM. $P_i$ then sends
D one half of the pair.

In order to see the security of the protocol we need to look
at two cases:

1. $P_i$ is honest but the dealer is faulty: $P_i$ holds zeros
which were authenticated by the dealer (as the dealer
was not kicked out of the protocol Zero-Share). The
rest of the protocol depends on $P_i$.

2. The dealer is honest but $P_i$ is faulty: The EPR pairs
which are authenticated by the dealer will be used to
pass information from the dealer to $P_i$ using quantum
teleportation. A faulty $P_i$ could send the dealer a state
which is not part of an EPR pair (say by destroying the
other half or passing some junk), but this does not add
cheating power, as it is equivalent to destroying the data
the dealer is trying to give to $P_i$.⁶



6 As we saw, the dealer can not fail this protocol. Therefore, after using
it, $P_i$ will be considered responsible if anything goes wrong. This alone
makes the protocol secure against a faulty $P_i$ and an honest dealer.
4 Weak Quantum Secret Sharing (WQSS)

Weak Secret Sharing [22, 23] is a protocol with two phases.
It provides similar functionality to a classical string com- 
mitment scheme, replacing computational assumptions with 
the cooperation of the honest majority. In the first phase, 
the dealer shares a (quantum) state (the secret), among all 
the players, such that the faulty players have no information 
about the state. In the second phase, the (quantum) data is 
sent to a reconstructor (sometimes called the receiver), who 
reconstructs the secret. We demand that if the dealer is hon- 
est the reconstructor can reconstruct the secret shared. If 
the dealer is faulty during the sharing phase some state must 
still be determined. However, if the dealer is faulty during 
the reconstruction phase the bad players can make sure that 
no state is reconstructed. In the case where no state is recon- 
structed the reconstructor will know that the dealer is faulty. 
At the end of the sharing phase, the players have a state en- 
coded in the quantum error-tolerant secret sharing scheme 
of ifTSl . but with an additional security guarantee in the case 
where the dealer is faulty. As before, we only want our pro- 
tocol to succeed with high probability. 
We give a formal definition using a TTP: 

1. The dealer D sends TTP a state $\rho$, or no state at all. If
D did not send a state the TTP notifies all the players
that this is the case and the protocol ends.

2. Otherwise, at the reconstruction phase, a reconstructor
R is chosen.

3. If D is honest, the TTP sends the state $\rho$ to R. If D is
faulty, she can tell the TTP not to send the state. In this
case the TTP tells the reconstructor that D is faulty.

The difference between this variant and Verifiable Secret 
Sharing lies in step 3 of the definition, where D has a chance 
to ruin a previously shared state. 

Protocol Before the protocol starts (this will be a prerequisite
to all our protocols from now on) we assume that
the dealer has some secret authentication key $k_{dealer}$. The
dealer will use this authentication key with many random
encryption keys.

We maintain the invariant that an honest player will never 
(with high probability) think that another honest player is 
faulty. Therefore if more than t players blame the dealer, 
she is truly faulty and can be kicked out of the protocol. 

We give the detailed sharing protocol for WQSS in Appendix B.
The outline of the procedure is as follows:

1. The dealer encodes a number of zero states using a
quantum polynomial code, and transmits the shares to
the players using the authenticated channel from Section 3.



2. The players and the classical TTP collectively test that 
the states are zeros, and are correctly encoded via 
transversal random sums. 

3. The players use the shared zero states to create a shared 
EPR pair. Half of it is returned to the dealer, who de- 
codes it and teleports his state through the EPR pair. 

The protocols we present later use the WQSS but will
never use its reconstruction. Therefore we present a naive
protocol which relies on revealing the keys. Reconstructing
the secret can be done by sending all the quantum data to the
reconstructor, as well as the key k and the relevant computed
x keys. The reconstructor will open up the authentication of
all the states, measure the second qubit ($|ac\rangle$ or $|re\rangle$) and use
only the correctly authenticated points. If they are all from a
degree t polynomial code she will reconstruct $|\psi\rangle$; otherwise
the dealer is faulty. This sort of reconstruction, however,
spoils the secrecy of key $k_{dealer}$, which we need throughout
the entire quantum computation. Therefore we will not
use the WQSS as presented here. Still, for completeness of
the paper we temporarily assume this naive reconstruction,
and discuss the security of the protocol. We also assume the
reconstructor is honest, because she gets all the data anyway.

Lemma 4.1. If the dealer is honest, the protocol is secure. 

Proof. We first prove that the protocol works, and then 
prove the secrecy of the data. As the dealer is honest, en- 
coded zeros are being sent by the established authenticated 
channels. With high probability, all the measurement results 
which are sent to the TTP are either the right results or they 
will be discarded (because of the authenticated channels). 
This means that with high probability an honest dealer will 
pass the test done by the classical TTP. 

In the final step, the dealer will get a state encoding half 
an EPR pair, and she can decode as there are at least t + 1 
correctly authenticated shares (given by the honest players). 
The honest dealer can then transmit her qubit. 

Reconstruction of the secret is possible, when considering
the initial encoding with a t degree polynomial as an
erasure code, and discarding shares which are not correctly
authenticated⁷ as these shares came from bad players. The
reconstructor has at least t + 1 points which define the secret
(the points held by the honest players), so she can retrieve
the original state.⁸ Secrecy follows from the no-cloning theorem
and the ability of the reconstructor to reconstruct the
right state. See [13] for a more complete proof of secure
reconstruction. □

Lemma 4.2. If the dealer is faulty, the protocol is secure. 

7 Formally, the first thing the receiver is doing is to open the authentication
using the help of the classic TTP. The receiver then measures the last
qubit ($|ac\rangle$ or $|re\rangle$).

8 Actually the reconstructed state has exponentially good fidelity to the
original state tensored with $|ac\rangle$.
Proof. Security in this context only means that after the
sharing phase the state has been set, and can no longer be 
changed by the dealer. This means (for example) that the 
adversary knows the secret (he can choose it in the begin- 
ning of the protocol) and the only thing we should actually 
take care of is that the adversary will not be able to change 
the secret after the sharing phase (although he is allowed to 
prevent its decoding). To see that this is the case we follow 
the paths of the shares held by the players who are honest in 
the reconstruction phase. If the dealer passes the purity test 
done by the classical TTP, the two shared states have high 
fidelity to shared zeros. Therefore, in step 5 (the last step of 
the preparation), the honest players hold a state which has 
a high fidelity to an EPR-half encoded in a degree t quan- 
tum polynomial code. Whether or not the dealer teleports a 
quantum state, there is an invariant: namely, that the states 
the honest players hold form t + 1 points of some degree t 
polynomial code, where each such point is authenticated by 
the dealer. (Note that if, for example, the dealer measures 
her half of the EPR pair, the state collapses, but we still have 
a polynomial code encoding a classical state where all the 
points are authenticated.) Therefore, in the reconstruction 
phase there are only two things which can happen: 

1. The state reconstructed is the state encoded by the honest
players' shares of the polynomial code, which was established
in the sharing phase.

2. An authenticated share which does not sit on this poly- 
nomial code appears. In this case, w.h.p. no secret will be 
reconstructed (as there is no degree t polynomial code which 
fits all the authenticated points) and the reconstructor knows 
that the dealer is faulty. □ 
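
The naive reconstruction rule and the two outcomes in the proof of Lemma 4.2 can be traced on a classical analogue. The following Python sketch is an added example, not code from the paper. It assumes classical shares of a degree t polynomial over $\mathbb{Z}_p$ with p = 101, and models the authentication check as an "ac"/"re" flag on each share that is assumed to reject every change made without the key (in the paper this holds only with high probability).

```python
import random

P = 101  # assumed small prime; shares live in Z_p


def poly_eval(coeffs, a):
    """Evaluate a polynomial (lowest coefficient first) at a, mod P."""
    result = 0
    for c in reversed(coeffs):
        result = (result * a + c) % P
    return result


def deal(secret, t, alphas, rng):
    """Honest sharing: random degree-t polynomial f with f(0) = secret."""
    coeffs = [secret % P] + [rng.randrange(P) for _ in range(t)]
    return [(a, poly_eval(coeffs, a), "ac") for a in alphas]


def interpolate_at(points, a):
    """Lagrange interpolation through `points`, evaluated at a, mod P."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (a - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def tamper_without_key(shares, i):
    """A faulty player alters share i without the key: the check rejects it."""
    out = list(shares)
    a, v, _ = out[i]
    out[i] = (a, (v + 1) % P, "re")
    return out


def forge_with_key(shares, i):
    """A faulty dealer, who knows the keys, plants a valid-looking wrong share."""
    out = list(shares)
    a, v, _ = out[i]
    out[i] = (a, (v + 1) % P, "ac")
    return out


def reconstruct(shares, t):
    """Use only accepted shares; they must all lie on one degree-t polynomial."""
    accepted = [(a, v) for a, v, flag in shares if flag == "ac"]
    if len(accepted) < t + 1:
        # Cannot happen while at least t + 1 honest players hold verified
        # shares; treated as failure here (an assumption of this sketch).
        return ("dealer faulty", None)
    basis = accepted[:t + 1]
    for a, v in accepted[t + 1:]:
        if interpolate_at(basis, a) != v:
            return ("dealer faulty", None)   # case 2 of the proof
    return ("ok", interpolate_at(basis, 0))  # case 1 of the proof


def demo():
    rng = random.Random(1)                   # constructed sample run
    n, t = 7, 3                              # t < n/2
    shares = deal(42, t, range(1, n + 1), rng)
    honest_dealer = shares
    for i in (0, 2, 5):                      # t faulty players tamper
        honest_dealer = tamper_without_key(honest_dealer, i)
    faulty_dealer = forge_with_key(shares, 6)
    return reconstruct(honest_dealer, t), reconstruct(faulty_dealer, t)


if __name__ == "__main__":
    print(demo())
```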

5 Verifiable Quantum Secret Sharing 

Verifiable Quantum Secret Sharing is also a protocol with 
two phases. In the first phase, the dealer shares a quantum 
state (the secret) among all the players, such that the faulty 
players have no information about the state. In the second 
phase, the quantum data is sent to a reconstructor, who re- 
constructs the secret. We demand that the value which the 
reconstructor reconstructs is set during the sharing phase of 
the algorithm. As before, we only want our protocol to suc- 
ceed with high probability. 

The main difference between VQSS and WQSS is the 
dealer's capability to ruin the secret after it has been shared. 
Our main technique in solving this problem is based on the 
2-Good-Trees of MUM or the VQSS of EH. The idea is to 
share a secret using a WQSS, and then share each one of the 
shares using WQSS. This means that the faulty players no 
longer have control of their shares. They can eliminate their 
shares by causing the WQSS reconstruction to fail, but can- 
not change them to some other state which could spoil the 
dealer's original state. Note that one of the last steps of the 
protocol we present, in which the authentication of the first 
layer is removed, is only needed for the full MPQC protocol. 



We give a definition of Verifiable Quantum Secret Sharing 
using a TTP: 

1. The dealer D sends TTP a state $\rho$, or no state at all. If
D did not send a state the TTP notifies all the players
that this is the case and the protocol ends.

2. Otherwise, at the reconstruction phase, a reconstructor
R is chosen and the TTP sends her the state.

Protocol As in WQSS, the sharing phase will have a long
preparation part and then a simple sharing part. During the
preparation the dealer will use a temporary authentication
key $k_{dealer}$ in addition to the standard authentication channels
we've established. As a preliminary step to the algorithm
an authenticated channel is created with this key, and
the key will be revealed to all the players at the end of the
preparation. To sum up, the protocol for VQSS will demand
two kinds of secret authentication keys:

1. The dealer has a temporary key $k_{dealer}$ for the first level
of the tree. When sharing more than one secret in the
MPQC each secret will have a new random key.

2. Each player $P_i$ will have a constant secret authentication
key $k_i$ for the second level of the tree. These keys
will be constant throughout MPQC.

In addition, each authentication has a random encryption
key x associated with it, as usual a different one for each
state.

We give the detailed VQSS protocol in Appendix C.
Briefly, it consists of the following steps:

1. The dealer shares encoded zero states using WQSS, and
then each player further shares the state he receives,
again using WQSS. The players and the classical TTP
collectively check whether the states have been correctly
shared and if they are in fact zeros.

2. The players use the shared zero states to create a shared
EPR pair. Half of it is decoded and returned to the
dealer.

3. Remove the top-level authentication (which uses the
temporary key $k_{dealer}$) from the EPR pair using
transversal Clifford group operations.

4. The dealer teleports his state through the EPR pair.

We note that it is possible to perform transversal Clifford
operations between two shared secrets. The proof of this
is very similar to the possibility of performing transversal
Clifford operations on coded states. The only subtle point is
that secrets shared by different dealers are actually protected
in the same way (as we remove $k_{dealer}$).

We describe the reconstruction protocol here, and defer
the security proof of both protocols to Appendix C. Like the
sharing protocol the reconstruction uses a one-time authentication
key $k_{reconstructor}$ (with appropriate authenticated
quantum channels), and the same player keys $k_i$.



Protocol Reconstruct-VQSS (Reconstructor R, Key for reconstruction
$k_{reconstructor}$, Player Keys $k_i$, $1 \le i \le n$)

1. Reconstructor: Create an EPR pair and share it as in
Share-VQSS. This includes a tree of height 2 and taking
out the top level authentication, but excludes the
final teleportation step.

2. All players and Reconstructor: Use quantum teleportation
on the previously shared secret and on the reconstructor's
shared EPR pair half to transfer the secret to
the reconstructor's EPR-half which is still held by her.
This is possible as after the removal of $k_{reconstructor}$
the codes of the dealer and reconstructor are actually
identical, and it thus is possible to perform Clifford operations
between their secrets.



Again we begin by assuming that the reconstructor is hon- 
est. We have two lemmas which together prove the security 
of the combined sharing-reconstruction protocol. 

Lemma 5.1. If the dealer is honest, with exponentially good 
probability the faulty players cannot affect the reconstruc- 
tion of the secret. Moreover, no player but the receiver 
learns anything (in the information theoretic sense) about 
the secret. 

Lemma 5.2. If the dealer is faulty, with exponentially good 
probability he can not change the secret he shared. Moreover 
the faulty players do not learn $k^i$ values for honest players. 

Both lemmas are proved in appendix C. 

If the reconstructor is faulty, the only secret we are trying 
to protect is the player keys $k^i$. Their security stems from the 
security of performing Clifford group operations on coded 
states. 

6 Multiparty Quantum Computation 

Our VQSS scheme already resembles Multiparty Quantum 
Computation in the ability to share a few secrets in parallel 
(all with the same player authentication keys $k^i$), and use 
Clifford operations between them. In order to complete this 
to a Multiparty Quantum Computation we need to add a Toffoli 
gate. We base the creation of the Toffoli gate on a shared 
Toffoli state à la [24], and the sharing of our Toffoli state on 
the ideas of the Power-Tables in 11231 . 

Let $\frac{1}{2}\sum_{a,b} |a, b, ab\rangle$ be the Toffoli State. It is well-known 
that it is possible to perform a Toffoli on any state using 
Clifford operations and this state. 



Sharing the Toffoli state can be done by our protocol for 
VQSS. We begin by sharing many Toffoli states which are 
only polynomially good and then use a fault-tolerant 
multiparty computation (for example [1]) to create an 
exponentially good Toffoli state from an encoded zero. The 
polynomially good states are created by some arbitrary player. 
If the player fails to create polynomially good Toffoli states 
she is faulty and is kicked out of the protocol. 



Protocol Create-Toffolis (Arbitrary Dealer $P_i$, Player Keys 
$k^i$ for $1 \le i \le n$) 

1. $P_i$: Share a polynomially large number of Toffoli 
states. 

2. All players: Run state tomography on all but a 
polynomial fraction of the shared states to check the states 
sent by $P_i$. If $P_i$ is caught not sending Toffoli states, 
she is kicked out. Otherwise, the states sent have a 
polynomial fidelity to the Toffoli state. 

3. All players: Using the states which were left (many 
states were opened up in the previous step), create an 
error correcting computation which creates a Toffoli 
state with exponential fidelity from the polynomially 
good Toffoli states. This can be done using the protocol 
described below, which uses standard techniques 
of noisy computation such as [1]. 



In appendix D we present a protocol especially designed to 
purify Toffoli states. 

7 Simulations of the protocol 

Proving the Universal Composability of our algorithm may 
seem at first like a daunting task. Surprisingly, this is not the 
case, and the simulation turns out to be almost trivial. We 
sketch the main details of the simulation in the full version. 
Here we simply note a few key features which we use: 

1. We rely heavily on the universal composability of classical 
multiparty computation, and therefore use an ideal 
Classical Trusted Third Party (called here C-TTP to 
stress that it's classical) in our simulation. 

2. The preparation step of the protocol is generic and 
independent of the inputs (and even the function we 
evaluate). This makes its simulation trivial. 

3. Using teleportation enables us to avoid passing quantum 
data in the input and output phases of the protocol. 
Instead, the players only pass (and obtain) classical data 
to (and from) the C-TTP. Moreover, this data is uniformly 
distributed and independent of the quantum data 
in the computation. 

4. For any group containing < t players, the results of any 
transversal measurement done during the computation 
are random, uniformly distributed, and independent of 
the encoded quantum state which is being measured. 

It might be possible to use Bravyi and Kitaev's technique in [5] and 
thus obtain exponential fidelity after passing a constant barrier. However, 
using their technique would require us to describe the entire calculation in 
F21 instead of in $\mathbb{Z}_p$ as we did here. 
A A Zero Purity Test 

We describe a simple zero purity test for states $|\phi_0\rangle, \ldots, |\phi_w\rangle$ 
(for some $w$), to test if they are all authenticated correctly 
and are encoding the qudit $|0\rangle$. Choose $a_0, \ldots, a_w \in_R 
\{0, 1, \ldots, p\}$ and calculate the transformation $\sum_i a_i |\phi_i\rangle \to 
|\phi_0\rangle$ where the sum is done by using SUM. Then, open up 
(i.e., measure) the new state $|\phi_0\rangle$. Correct the state you 
have using the keys, applying shifts and multiplications. You 
should be holding a polynomial of degree < d with free 
coefficient 0. Run the same check (with new random numbers 
and without $|\phi_0\rangle$ which was already spent) on the Fourier 
transform of the states, although now the free coefficient is 
random. Iterating this $s$ times spends $2s$ states and gives the 
desired fidelity. All the operations (multiplying with 
constants, SUM's and measurements) are done with the help of 
the classical TTP, as only the TTP holds the classical keys. 

In a way similar to the definitions of authenticated states, 
let $M$ be the Hilbert space which holds the remaining states 
$|\phi_1\rangle, \ldots, |\phi_{w-2s}\rangle$, let $|\psi\rangle = |Auth(0)\rangle \otimes |Auth(0)\rangle \otimes \cdots \otimes 
|Auth(0)\rangle \in M$, and let $V$ be a Hilbert space of dimension 
2, with basis states $|ac\rangle$, $|re\rangle$. Define projectors 

$= |\psi\rangle\langle\psi| \otimes I_V + I_M \otimes |re\rangle\langle re| - |\psi\rangle\langle\psi| \otimes |re\rangle\langle re|$ 

$= (I_M - |\psi\rangle\langle\psi|) \otimes |ac\rangle\langle ac|$ 

Lemma A.1. The result of the zero purity test has fidelity $1 - 
O(p^{-s})$ to the space spanned by $P^{|\psi\rangle}$. If the adversary did 
not change the authenticated state the output will be $\otimes\, 
|ac\rangle$. 

The proof of the lemma is deferred to the final version. 






B Weak Quantum Secret Sharing 

In this appendix, we give the detailed protocol for sharing 
states using WQSS. 



Protocol Weak-Quantum-Secret-Sharing (Dealer D, Dealer 
Key $k_{dealer}$) 

1. _Preparation_ Dealer D: Encode many ($2s + 2$, where 
$s$ is the security parameter) zeros using the quantum 
polynomial code of degree $t$ and length $n$. For each 
zero encoded send the $i$th share to $P_i$, using the 
authenticated channel established in section 3. Note that 
the authenticated channel is used with the same $k_{dealer}$ 
all the time, but with different $x$'s. 

2. All players and classical-TTP: Using random num- 
bers generated by the classical TTP, the players per- 
form transversal random sums, both in the standard 
and the Fourier basis. The players measure 2s of their 
shares (s checks in each basis) and send the results to 
the classical TTP. 

3. Classical-TTP: Discard values which do not authenti- 
cate correctly. These values must come from bad play- 
ers (we are using verified authenticated channels). 

4. Classical-TTP: If errors are detected in the outer 
polynomial code the dealer is faulty. All players are 
informed and the protocol is aborted. 

5. All players: The players collectively generate an EPR 
pair from the two remaining zeros and send one half of 
the pair to the dealer. 

6. _Sharing_ Dealer: Decode the EPR-half you have and, 
using quantum teleportation, send the secret, giving 
your measurement results to the TTP. This results 
only in a change of keys; the players do not need to 
act on their states or manipulate any new information. 



Underlined and words are the name of the phase. The phase continues 
until a new phase begins. 

Note that the dealer can perform step 6 only because he knows all 
the keys he used in step 1. 



Figure 1: Schematic of Weak QSS 

C Details of VQSS 

Below is the detailed protocol for sharing in VQSS: 



Protocol Share-VQSS (Dealer D, Secret $\psi$, Key for the 
secret $k_{dealer}$, Player Keys $k^i$ for $1 \le i \le n$) 

1. _Preparation Phase_ Dealer: Prepare many ($2s + 2$) zeros 
and encode them with the polynomial code of degree $t$ 
and length $n$. Send the $i$'th share ($R_i$) to the 
$i$'th player using the authenticated channel using key 
$k_{dealer}$. 

2. Player $P_i$: Take each state shared by the dealer, and 
share it using WQSS and your key $k^i$. Mark the $j$'th 
share as $R_{i,j}$. Note that for each zero-share $P_i$ got from 
the dealer, she has to generate $2s + 2$ new zeros. 

3. All players and classical-TTP: Perform transversal 
random sums in both standard and Fourier basis to 
check that the zeros shared by the dealer are OK. All 
results are sent to the classical TTP. Note that the 
shares $R_{i,j}$ are being manipulated here, and that $2s$ of 
the original zeros are being spent. 

4. Classical-TTP, operating on the measurement results 
that were given by the players: If a measurement result 
on $R_{i,j}$ is not authenticated, $P_j$ is faulty and this result 
should be ignored. If $R_i$ is not properly reconstructed 
as a state authenticated by the dealer, $P_i$ is faulty; 
inform all players of this. If the top level does not decode 
to $|0\rangle$ (when ignoring faulty $R_i$'s), the dealer is faulty. 
If the dealer is faulty the classical TTP tells that to all 
the players and the dealer is kicked out. 

5. _Generating EPR_ All players $P_j$ with the help of 
classical-TTP: Using transversal operations on two 
shared zeros generate an EPR pair. This is done by 
acting on $R_{i,j}$ shares. 

6. _Sending the EPR Half to the Dealer_ Player $P_j$: Send 
half of the pair created from the $R_{i,j}$'s to $P_i$. 

7. Player $P_i$: Using the shares you received (using only 
ones which are correctly authenticated by you) decode 
$R_i$ and send it back to the dealer. Note that $P_i$ knows 
$k^i$, and does not need the help of the classical TTP 
here. 

8. Dealer: Decode the state you received, discarding any 
incorrectly authenticated shares. 

9. _Getting Rid of $k_{dealer}$_ Players $P_j$ with the help of 
classical-TTP: Using transversal Clifford operations 
remove the top level authentication. This is possible as 
each $R_i$ was authenticated and the qudits were shared 
by $P_i$. Using transversal operation on these qudits we 
can decode $R_i$ and leave this coordinate protected only 
by WQSS using $k^i$. This step is not essential for VQSS 
but only for MPQC. 

10. _Sharing_ Dealer: Share your secret using quantum 
teleportation, passing measurement results to the classical 
TTP. This only results in changes of $x$ keys (just like 
the sharing in WQSS). 

Figure 2: Schematic of VQSS 



D Purifying Toffoli States 

We present an algorithm to purify Toffoli states, which is 
interesting in its own right. Each Toffoli state allows us to 
perform one Toffoli gate; a perfect Toffoli state gives a 
perfect Toffoli gate, whereas a state with error $e$ produces a gate 
which is $O(e)$ away from a correct Toffoli gate. Then we can 
use techniques of fault-tolerant quantum computation to turn 
these noisy gates into an exponentially more reliable one. 
Choose some $m$ and $d$, with $m = 3d + 1$, $p > m$, m = 0(8). 

Let $H_{good}$ be the space spanned by $m$ Toffoli states which 
were affected by at most $m/8$ non-identity Pauli operations. 
Then any $m$ Toffoli states coming from players who have 
passed the polynomial state tomography phase will have 
fidelity 1 — 2~°^ to their projection on $H_{good}$. We now show 
how to distill a single exponentially good Toffoli state from 
the $m$ states. 

Let $\beta_1, \ldots, \beta_m \in \mathbb{Z}_p$ be distinct nonzero points. Look at 
the state 

$$\sum_{a,b} \; \sum_{\substack{\deg(f)<d \\ f(0)=a}} \; \sum_{\substack{\deg(g)<d \\ g(0)=b}} \; \sum_{\substack{\deg(h)<2d \\ h(0)=0}} |f(\beta_1), \ldots, f(\beta_m)\rangle \otimes |g(\beta_1), \ldots, g(\beta_m), h(\beta_1), \ldots, h(\beta_m)\rangle$$ 

Note that this state can be created exactly by Clifford 
operations (which are free in the model we discuss). Now, for 
$1 \le i \le m$ use a polynomially good Toffoli state (one of the 
$m$ states we have left after the first part of the purification) to 
perform a Toffoli gate on coordinates $i$, $m + i$, $2m + i$. If the 
Toffoli states were ideal this should result in the state $|\tau\rangle$ = 

$$\sum_{a,b} \; \sum_{\substack{\deg(f)<d \\ f(0)=a}} \; \sum_{\substack{\deg(g)<d \\ g(0)=b}} \; \sum_{\substack{\deg(h)<2d \\ h(0)=ab}} |f(\beta_1), \ldots, f(\beta_m)\rangle \otimes |g(\beta_1), \ldots, g(\beta_m), h(\beta_1), \ldots, h(\beta_m)\rangle$$ 

As the entire $m$ states have exponentially good probability 
to a state in $H_{good}$, with exponentially good probability we 
can correct $d/2$ mistakes on each one of the three codes, and 
be in a state which has exponentially good fidelity to $|\tau\rangle$. 
Decoding the state using only Clifford group operations we get 
a state with exponential fidelity to $\frac{1}{2}\sum_{a,b} |a, b, ab\rangle$, which 
is the Toffoli State. 

Note that the error rate in this purification step drops from 
$\eta$ down to We can select a (polynomially) large $d$ 
or iterate the procedure with smaller $d$ to obtain the desired 
fidelity. 
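The classical arithmetic underneath the purification step of Appendix D, as an added example that is not code from the paper: it follows a single computational-basis term through the m transversal Toffoli gates and decodes the third register. The toy parameters (p = 11, d = 2), the function names, the choice h(0) = 0 before the gates, and the modelling of a faulty gate as a nonzero shift on its target coordinate are assumptions of this example; phase errors and superpositions are not modelled.

```python
import itertools
import random

P, D = 11, 2                     # field size p and degree bound d (constructed toy values)
M = 3 * D + 1                    # m = 3d + 1 evaluation points, with p > m
BETAS = list(range(1, M + 1))    # distinct nonzero points beta_1..beta_m in Z_p

def rand_poly(const, deg_bound, rng):
    """Random polynomial over Z_p with degree < deg_bound and value `const` at 0."""
    return [const] + [rng.randrange(P) for _ in range(deg_bound - 1)]

def evaluate(poly, x):
    return sum(c * pow(x, k, P) for k, c in enumerate(poly)) % P

def interpolate_at(points, x):
    """Lagrange interpolation over Z_p: value at x of the polynomial through points."""
    total = 0
    for j, (xj, yj) in enumerate(points):
        num = den = 1
        for k, (xk, _) in enumerate(points):
            if k != j:
                num = num * (x - xk) % P
                den = den * (xj - xk) % P
        total = (total + yj * num * pow(den, -1, P)) % P
    return total

def decode_constant(word, deg_bound, max_errors):
    """Recover poly(0) from a codeword with at most max_errors wrong coordinates."""
    pairs = list(zip(BETAS, word))
    for subset in itertools.combinations(pairs, deg_bound):
        agree = sum(interpolate_at(subset, x) == y for x, y in pairs)
        if agree >= M - max_errors:
            return interpolate_at(subset, 0)
    return None                  # more errors than the code can correct

def purify_term(a, b, faulty, rng):
    """Follow one basis term |f(beta)>|g(beta)>|h(beta)> through m noisy Toffolis."""
    f, g = rand_poly(a, D, rng), rand_poly(b, D, rng)
    h = rand_poly(0, 2 * D, rng)             # assumption: h(0) = 0 before the gates
    out = []
    for i, beta in enumerate(BETAS):
        # Toffoli on coordinates (i, m+i, 2m+i): target += control1 * control2
        target = (evaluate(h, beta) + evaluate(f, beta) * evaluate(g, beta)) % P
        if i in faulty:                      # faulty gate: nonzero shift on the target
            target = (target + rng.randrange(1, P)) % P
        out.append(target)
    return decode_constant(out, 2 * D, D // 2)
```

With d = 2 the third register is a length-7 code of distance d + 2 = 4, so one faulty gate is corrected and the decoded value is ab mod p, while two faulty gates exceed d/2 and the decoder reports failure.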